General description of the incident
The Austrian supervisory body has received a report on a weakness of the “asymmetric crypto library”
which is used by several qualified electronic signature devices produced by Atos IT Solutions and
Services GmbH, Munich, in particular
* “CardOS V5.0 with Application for QES, V1.0” and
* “CardOS V5.3 QES, V1.0”.
The problem affects generating electronic signature creation data for use with the
RSA algorithm. There is no evidence of weaknesses in generating electronic signature creation data
for ECDSA or in creating electronic signatures by means of either RSA or ECDSA. Due to the
mentioned weakness, a qualified trust service provider established in Austria revoked all qualified
certificates issued prior to 9 June 2017 and informed both the public and the signatories affected.

Duration (in hours) 


Percentage of subscribers affected 
Severity of the incident 
3 
Year 
2017 
Personal data impacted 
Electronic signature creation data 
Number of subscriptions 
29 
Cross border impact 
Yes 
Services affected 


* Creation of (qualified) certificates for electronic signatures
* Creation of (qualified) certificates for electronic seals service
* Creation of electronic timestamps service


Asset types affected 


* Qualified electronic signature creation devices


Category of impact 
Confidentiality 

Impact on assets 
High 

Trust service concerned 
Qualified 

Root cause category 


* Third party failures
Detailed causes
* Algorithms for generating electronic signature creation data


Actions taken 
Revocation of qualified certificates 
Lessons learned 


Mitigating security measures 


Other authorities notified, nationally 
Other authorities notified, abroad 
yes, SBs 
Customers affected notified 
yes, by TSP 
Public informed 
yes, by TSP 
Information disclosure by supervisory body under freedom of information legislation 


